Looking beyond firewalls for security

Security, according to Helen Keller, is a superstition. It's found nowhere in nature, but we keep trying to achieve it, and there are many products on the market to help us. The most common - firewalls - are widely installed and continue to evolve with features and functionality.

But firewalls, posted at enterprise network portals to limit access from the Internet, are only part of a comprehensive security strategy. They don't provide protection from viruses that enter through e-mail servers, for example. Nor do they offer protection against individuals downloading or e-mailing content that could put your company at risk.

To address these security risks, you can look at secure content management (SCM) devices, such as antivirus and content-filtering products.

According to IDC's recent assessment of the SCM market, worldwide revenue in this segment reached 2 billion in 2001, representing a 22 percent growth rate over 2000. That growth was driven by the increasingly sophisticated techniques being used to exploit security vulnerabilities. Forecasts for the market show it reaching US$4.8 billion in 2006.

Network World Global Test Alliance member Miercom last month kicked the tires of six antivirus products and six content-filtering devices to uncover vulnerabilities, assess features and determine how the products can be best deployed in corporate networks.

Overall, the products we examined worked well - detecting about 99.9 percent of the viruses we threw at them and blocking access to designated Web sites almost flawlessly.

But products that offered the most extensive security options were also harder to configure and use. We also uncovered some subtle vulnerabilities that, although not showstoppers, could pose some security risks.

Ease of use vs. granularity and features

Three trends were clearly evident among the products we examined. First, security vendors are taking the ease of use issue seriously.

But the downside of ease of use is a lack of scalability and granularity. The two products that were more time-consuming to implement, Symantec Corp.'s Norton Anti-Virus Corporate Edition and the F-Secure Corp. Anti-Virus for Workstations/Servers, also offered far more security options and flexibility in setting and defining security rules. Some security expertise is definitely required to work with these products.

The third trend is that many vendors are incorporating multiple security functions, such as antivirus, content-filtering and intrusion-detection systems (IDS) into one system.

CacheFlow Inc.'s Security Gateway 800 was unique, incorporating content filtering into its Web caching and acceleration appliance. The product reduces the load on existing firewalls by absorbing and filtering content from Web servers by protocol, such as HTTP or FTP traffic, file type, such as executables, and Multi-purpose Internet Mail Extensions. It also supports third-party virus scanners.

We focused on the antivirus and content-filtering capabilities of these products and did not examine their other capabilities.

Antivirus products

Estimates of how many viruses are generated worldwide on a weekly basis vary widely - from hundreds to thousands. The truth is probably somewhere in between. But even a hundred new viruses per week is a lot to keep up with, and no antivirus product will catch every new virus that comes along.

Security experts disagree as to whether it's even necessary for antivirus products to offer protection against a large number of known viruses, especially if they're not widely dispersed. But all agree that it's more important to assess and quickly report those, such as the Klez virus, that are most likely to have more widespread dispersion or are particularly malicious. Klez specifically targets Microsoft mail products. It invades users' personal address books, mailing viruses to and from those on a personal mailing list, creating a chain reaction that spreads rapidly.

Some antivirus vendors recommend daily updates of virus signature databases. All antivirus products we examined can schedule updates to run automatically at off-peak times to limit the effect on network performance.

Some vendors, including GFI Ltd. and F-Secure, support more than one antivirus scanning engine, offering the ability to multiply the user's chance of catching viruses on one engine that could be missed on another. GFI's Mail Security supports three engines, which scan incoming mail sequentially. Users can change the order of the scan to take advantage of the efficiencies of one engine over another.

An alternative to choosing a product with multiple engines is to deploy antivirus products from different vendors at various places in the network, with, for example, one on client and server machines and another on an e-mail gateway. But the downside is no central management of antivirus resources. Doing this also could increase bandwidth usage as different products download multiple sets of virus signatures.

Also an issue with antivirus products is deciding where to deploy them. Using antivirus software on e-mail servers prevents viruses from getting to server and client machines. This reduces the number of alarms an IT team has to deal with because the viruses are blocked at the e-mail gateway.

But e-mail-based antivirus products won't prevent someone from introducing viruses into a client machine through an infected diskette. Securing an e-mail gateway also won't protect against Web-borne viruses.

The WildList

All the antivirus products detected almost all our virus attacks, which consisted of four major categories of viruses: Web-borne script viruses, Trojan Horses, worms and legacy viruses. The object of our testing was to launch a broad set of viruses against the machines to look for common vulnerabilities.

Before testing, we collected viruses from a variety of sources, including some we had received in our own network and some taken from vx.netlux.org, a repository of virus source code and executable code.

We cross-referenced our test viruses against the WildList (www.wildlist.org), a repository of known viruses, developed in 1993. The WildList is an industry standard against which many vendors test and certify their products. Our attack list incorporated about 20 selected viruses. They included Melissa, Klez H., HTML Party, Nimda.A, CodeRed A., EvilBot and LoveLetter.

We uncovered only a minor vulnerability, and in doing so stepped into a war concerning the use of legacy and variant viruses to test antivirus products.

The Sophos Anti-Virus and Fortinet FortiGate 400 products did not detect a legacy virus and a variant of that virus we ran, while the F-Secure, GFI, Mitel and Symantec products did.

Sophos, Fortinet and other security vendors base their known virus signature databases primarily on those listed on the WildList, contending that viruses not on the list (referred to as "zoo" viruses) pose little threat (because they're old or were not widely distributed) to their end users.

We ran a variant virus to check the products' pattern-matching (or heuristics) abilities. In a variant virus the source code of a known virus is slightly modified, only enough to let it slip by an antivirus filter. Using heuristics, an antivirus product detects a suspicious pattern in the code, and even though it might not be able to name it, it flags it. The products we tested all supported this feature, some (such as Symantec and F-Secure) at a more granular level than others.
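The difference between signature matching and heuristics, and the sequential multi-engine scanning described earlier for GFI's product, can be shown in a few lines. This is an added example, not code from any product reviewed here. It assumes a whole-file hash as a stand-in for a vendor signature, and its trait weights, threshold, detection name and sample texts are all constructed.

```python
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

# Constructed, inert text fragments (not working scripts) used as scan input.
KNOWN = (b"' constructed inert sample\nbook = mail.AddressLists\n"
         b"msg.Attachments.Add(self_copy)\nmsg.Send\n")
# A "variant": same behaviour markers, trivially altered bytes.
VARIANT = KNOWN.replace(b"constructed inert sample", b"renamed copy") + b"' filler\n"
CLEAN = b"' constructed benign macro\nmsg.Attachments.Add(report_path)\nmsg.Send\n"

# Signature database: exact fingerprint -> name (hypothetical name).
SIGNATURES = {digest(KNOWN): "Sample.A"}

# Heuristic traits: (token, weight, description). Weights are assumptions.
TRAITS = [
    (b"addresslists", 2, "reads address book"),
    (b"attachments.add(self", 3, "attaches a copy of itself"),
    (b".send", 1, "sends mail"),
]
THRESHOLD = 5

def signature_engine(data):
    """Name the sample only if its fingerprint is already known."""
    return SIGNATURES.get(digest(data))

def heuristic_engine(data):
    """Flag a suspicious combination of traits without naming the virus."""
    lowered = data.lower()
    hits = [(weight, label) for token, weight, label in TRAITS if token in lowered]
    if sum(weight for weight, _ in hits) >= THRESHOLD:
        return "Suspicious: " + ", ".join(label for _, label in hits)
    return None

# Engines run in order; reordering this list changes which one answers first.
ENGINES = [("signature", signature_engine), ("heuristic", heuristic_engine)]

def scan(data, engines=ENGINES):
    for engine_name, engine in engines:
        verdict = engine(data)
        if verdict:
            return (engine_name, verdict)
    return (None, "clean")
```

The variant is missed by the signature engine and caught, unnamed, by the heuristic one; the benign macro shares a single trait and stays under the threshold.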

The argument for testing against the WildList is sound, but be aware that there is nothing to prevent someone from using the same public resources to create and launch virus attacks based on older viruses or to create variants of known viruses.

Content filtering

The main function of a content filter is to assess the top sites accessed within the network and block access to Web sites that a company determines objectionable (such as pornography, hate organizations and gambling) or time-wasting (shopping sites, sports and entertainment).

How and why an organization decides to use content-filtering products shouldn't be taken lightly. Issues involving the rights of the individual vs. the company, along with other legal liabilities, surround their use. Companies should clearly define why, where, when and how they use content filters across their networks.

To test the products' filtering abilities, we first perused the Internet to create a list of Web sites, which were divided among a number of typically objectionable categories, including adult content, hacking, shopping and gambling sites.

Using an open source utility called wget that downloads an entire Web site, we created a script that downloaded 65 Web sites on our "block" list. We then had each content-filtering device download all the items on our list to determine which were blocked and which weren't.

Overall, the products performed very well. A few missed one site or another. Symantec's Web Security missed one adult site; N2H2's Sentian failed to filter one pornography site; CacheFlow's Security Gateway 800 missed one gambling site.

We also checked whether it was possible to circumvent the products' content filters. To test this, we resolved the IP address of a known blocked site via a ping and attempted to access the site by entering the IP address in a Web browser in place of the URL.

We gained access via IP address to one known blocked site that used load balancing across multiple servers and, therefore, had multiple IP addresses. Some of these IP addresses were not on our content-filter lists. We also determined that DNS reverse lookup had been disabled for the site, preventing the IP address from being resolved to a URL that the content-filtering products could then check against our filter list. To correct this, we created an additional rule on our content filters to block sites that could not be resolved to a URL.
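The filtering decision described above, with and without the corrective rule, looks like this in outline. It is an added example, not the configuration of any tested product. The host names, addresses (from reserved documentation ranges) and the offline reverse-DNS table are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed filter lists.
BLOCKED_HOSTS = {"casino.example"}
BLOCKED_IPS = {ipaddress.ip_address("203.0.113.10")}

# Offline stand-in for reverse DNS (PTR) lookups. A live filter would wrap
# socket.gethostbyaddr() and return None when the lookup fails.
PTR_TABLE = {
    "203.0.113.10": "casino.example",
    "203.0.113.12": "www.casino.example",
    "198.51.100.7": "intranet.example",
    # 203.0.113.11: a further load-balanced address with no PTR record.
}

def reverse_lookup(ip):
    return PTR_TABLE.get(str(ip))

def hostname_listed(host):
    """True if the host or any parent domain is on the block list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS
               for i in range(max(len(labels) - 1, 1)))

def decide(requested_host, block_unresolvable=True, resolver=reverse_lookup):
    """Return (action, reason) for the host part of a requested URL."""
    host = requested_host.strip()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: an ordinary name check.
        if hostname_listed(host):
            return ("block", "hostname on block list")
        return ("allow", "hostname not listed")
    if ip in BLOCKED_IPS:
        return ("block", "address on block list")
    name = resolver(ip)
    if name is None:
        # The gap found in testing: unlisted address, no name to compare.
        if block_unresolvable:
            return ("block", "address has no reverse DNS name")
        return ("allow", "unlisted address, no name to check")
    if hostname_listed(name):
        return ("block", "reverse DNS name on block list")
    return ("allow", "reverse DNS name not listed")
```

The rule trades coverage for false positives: any legitimate site reached by an address without a reverse DNS record is blocked as well.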

A differentiating factor among content filters is their ability to filter based not only on a word but also on the context in which a word is used. Symantec's Web Security was the only product that supported Dynamic Document Review, which provides granular context-sensitive scanning of a Web page to check the context of questionable words that might otherwise be blocked by a content filter. This prevents blocking, for example, a page containing references to "sex education" or "breast cancer."

The content-filtering products were all fairly easy to integrate into our network with minimal downtime. We plugged the products inline, and they were functioning in less than 1 minute. Most products also easily integrated with directories and user groups that already were set up on our network.

We encountered an interesting deployment issue on SurfControl's Web Filter. The product, which resides between client machines and the Internet, passively captures traffic. If it detects a user trying to access a blocked site, it spoofs the blocked URL, sending an access denied message back to the user.

Because of the specific setup required on the Web Filter product, letting it capture and transmit data on the network, we could not use the device on our Extreme Summit 48 switch, which supports only receive transmission on its mirroring port. (We connected Web Filter to a hub.) Presumably, Web Filter would have worked on a switch that supported transmit and receive traffic on its port mirror.

While we typically think of content filtering in the context of blocking access to Web sites, it is also applicable to content leaving and entering a corporate network via e-mail.

SurfControl offers a product called E-mail Filter, which supports filtering and routing of e-mail based on a variety of rule sets. E-mail that doesn't match the rules invokes triggers that isolate, discard, allow or delay it.

The SurfControl E-mail Filter we examined didn't support the capability of filtering internal e-mail, but the vendor offers a version of E-mail Filter that integrates into Microsoft Exchange and lets you scan incoming and outgoing internal mail.

One vulnerability common to all the content-filtering products is that nothing prevents someone whose computer is blocked from accessing certain sites from using another person's computer to reach those sites if that PC is not properly locked down.

The human factor

While content filters and antivirus products might play a key role in a company's overall security, it's also important to determine how people can circumvent even the best-laid security plans.

All the security products in the world won't protect a network against user error, lack of training on security procedures, improper configuration, incorrect use of passwords or malicious intent from within.

Humans have a knack for figuring out how to circumvent security devices, and many also like the challenge.

Yocom is senior editor and Frigo and Van Derveer are test engineers at Miercom, an independent testing lab in Princeton Junction, N.J. They can be reached at byocom@mier.com; mfrigo@mier.com; and dvanderveer@mier.com.

How context-sensitive is the content filter? Will it block more than you want?
